Is it possible to use the Windows 8 Bitlocker Used Space Only option in Windows 7?

I've read the forums and TechNet articles and was able to successfully enable BitLocker (Used Space Only Encrypted) on Windows 8.1 PCs. I used MDT 2013 (set up BitLocker settings in the customsettings.ini) to pre-provision BitLocker in WinPE 5.0, and then at the end of the MDT task sequence it enables BitLocker and sends the recovery key to AD. Works great and avoids the hassle of waiting for the entire drive to encrypt.

We have Windows 7 PCs in our environment, and using the same task sequence settings appears to enable the Used Space Only encryption in WinPE; however, once the OS is installed and you check the BitLocker status (manage-bde -status), it shows that the drive is Fully Encrypted. Once the task sequence enables BitLocker, a recovery key is sent to AD successfully and protection is on. It appears to have the same result as with Windows 8.1 computers; however, the conversion status reads "Fully Encrypted" versus "Used Disk Space Only". The Windows 7 PCs have a 500 GB hard drive and I know they would not fully encrypt that quickly. Are these Windows 7 PCs using "Used Space Only" encryption but reporting "Fully Encrypted" because maybe Windows 7 doesn't know how to report used space only, since it is a Windows 8 BitLocker feature?

Thanks.

May 20th, 2015 8:18pm

Hi

Encrypt Used Disk Space Only is a new option which comes with Windows 8. Unfortunately, as far as I know, this was only added in Windows 8/8.1 BitLocker and is not supported by Windows 7.

I also checked the relevant GPOs; they all have "At least Windows Server 2012 or Windows 8" in the "Supported on" comment.

Regards,

May 26th, 2015 2:15am

Do you happen to know why, then, when I pre-provision BitLocker (for a Windows 7 PC) in WinPE 5.0 via MDT 2013, it shows "Used Space Only Encrypted" via the "manage-bde -status" command, but as soon as it installs the OS, if you run the same command it says it is "Fully Encrypted"? I doubt a 500 GB drive is fully encrypted before the imaging task sequence even finishes, unless Windows 7 doesn't know how to interpret Used Space Only Encryption so it says fully encrypted. I know it is only "officially" supported in Windows 8; I was just curious if it actually maybe worked, though.
May 26th, 2015 3:41pm

That's because WinPE 5.0 is newer than win7. It's at the same level as win8.

But I wouldn't be sure what happens to the data that gets written by win7.

May 26th, 2015 9:47pm

That is what I'm trying to find out: what happens to the data in Win 7, since manage-bde -status will say it is fully encrypted, however I know that couldn't possibly be. My theory is that Windows 7 BitLocker can only say whether it is fully encrypted or not encrypted since it doesn't know how to interpret "Used Space Only Encryption". If it walks like a duck, quacks like a duck...
May 27th, 2015 8:09pm

"My theory is that Windows 7 bitlocker can only say whether it is fully encrypted or not encrypted since it doesn't know how to interpret "Used Space Only Encryption"." - that's no theory, but for sure a fact.

You will need to find out if the data written by 7 is encrypted. I don't see a reason why it wouldn't be. But you can only be sure if you take out a drive and use hex editing tools to look at the blocks and see if you can read data or not. Could also be done by windows2go.

I am pretty sure it works alright, though. Cannot imagine data not being written encrypted then.

May 28th, 2015 3:47am
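
The last reply suggests reading the raw blocks of the drive to see whether data is readable. The following is an added example, not code from the thread, that automates that check over a raw image of the volume by sorting clusters by byte entropy; the 4096-byte cluster size, the 7.5 bits/byte threshold and the sample image are assumptions made for illustration.

```python
import io
import math
import os
import sys
from collections import Counter

CLUSTER = 4096  # assumed cluster size (NTFS default); adjust to the volume

def shannon_entropy(block: bytes) -> float:
    """Entropy of the byte distribution in bits per byte (0.0 to 8.0)."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def classify(block: bytes, threshold: float = 7.5) -> str:
    """Label one cluster: 'zero', 'high-entropy' or 'low-entropy'."""
    if not any(block):
        return "zero"          # never written, or wiped
    if shannon_entropy(block) >= threshold:
        # Consistent with ciphertext. Compressed files also land here, so
        # this class alone does not prove that a cluster is encrypted.
        return "high-entropy"
    return "low-entropy"       # readable structure: text, file-system metadata

def summarize(stream) -> Counter:
    """Count clusters per class in a binary stream of a raw volume image."""
    totals = Counter()
    while block := stream.read(CLUSTER):
        totals[classify(block)] += 1
    return totals

def build_sample_image() -> bytes:
    """Constructed sample: 2 random clusters (stand-in for ciphertext),
    3 zeroed clusters (untouched free space), 1 cluster of plain text."""
    text = (b"Quarterly payroll export, constructed sample. " * 100)[:CLUSTER]
    return os.urandom(2 * CLUSTER) + bytes(3 * CLUSTER) + text

if __name__ == "__main__":
    if len(sys.argv) > 1:      # path to a raw image taken from the drive
        with open(sys.argv[1], "rb") as image:
            print(dict(summarize(image)))
    else:
        print(dict(summarize(io.BytesIO(build_sample_image()))))
```

Low-entropy clusters in regions written after Windows 7 booted would be the sign that data is being stored in the clear; on a used-space-only volume, zeroed or low-entropy clusters in free space that was never written are expected.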
